Watermark-based access control method and device

ABSTRACT

A method of controlling access to a resource using a verifying device uses a watermarking device that embeds an authorization code in a signal using watermarking technology. The watermarked signal is then transmitted to a verifying device, e.g. as a television or radio program or as a commercial related to the resource. In the verifying device, the authorization code is extracted from the watermarked signal and an operation to be performed on the resource is authorized in dependence on the extracted authorization code. Preferably the authorization includes permission for executing a program, rendering and/or copying a multimedia object or for activating a cheat function in an electronic game.

The invention relates to a method of controlling access to a resource such as a computer program or a multimedia object. The invention further relates to a verifying device arranged for controlling access to a resource.

Watermarking, the process of inserting extra information in a signal such as an audio or video signal, is an important and well-known technique to mark or protect those signals. A movie can be watermarked so its origin can be identified, or unauthorized copies can be distinguished from the original. Watermarks can be used with still images to locate copies reproduced by unauthorized third parties, by simply downloading images from the information services offered by those third parties and examining the downloaded images for the watermark.

Watermarks can also be used to embed metadata, such as an Internet Uniform Resource Locator (URL), in the input signal, for instance in a movie. Upon receiving a signal with the embedded extra information, a device can decode the URL and fetch the associated resource for displaying it to the user. A user who views the movie at his personal entertainment station can thus access the embedded metadata to access, for instance, the World-Wide Web site of the movie.

International patent application PCT/EP01/12712 by the same applicant as the present application describes how a command can be transmitted to a controllable device by embedding it using watermarking techniques in a signal like a television program or a piece of music. A watermark detector in the controllable device picks up the signal, preferably through the acoustical domain, detects the watermarked command and executes it. The controllable device is preferably embodied as a toy, which can then be controlled to “play along” with a children's television program.

In another application of watermarking, rights regarding the copying and/or playback of a multimedia object like a movie or song are embedded in the multimedia object using watermarking technology. A playback or copying apparatus can then extract these rights from the multimedia object and operate in accordance with the extracted rights, e.g. by refusing to copy the multimedia object if no copying rights are embedded in the object.

However, this application of watermarking suffers from the drawback that the rights embedded in the multimedia object cannot be easily modified. This makes it difficult to later provide additional rights, or to revoke previously granted rights for the multimedia object.

It is an object of the invention to provide a method according to the preamble, which provides a flexible way to authorize operations on the resource.

This object is achieved according to the invention in a method comprising embedding an authorization code in a signal by means of a watermark and transmitting the watermarked signal to a verifying device, and in the verifying device, extracting the authorization code from the watermarked signal and authorizing an operation to be performed on the resource in dependence on the extracted authorization code.

By embedding the authorization code using watermarks in a signal, the authorization codes can be supplied to the verifying device without the need for special communication channels between an entity supplying authorization and the verifying device. In effect, the normally available audio and/or video transmission channels are used to supply authorization codes to the verifying device. Further, new authorization codes, as well as revocations for previously supplied authorization codes, can easily be supplied by embedding them in subsequent signals transmitted in the same way.

The signal in which the authorization code is embedded does not represent the resource to which the authorization code applies. Rather, the signal is merely used as a carrier for getting the authorization code to the verifying device controlling access to the resource.

In an embodiment the resource comprises a computer program and the authorization code causes the verifying device to grant permission for executing the program. Execution of programs can be controlled using so-called license managers. License managers are computer programs that control the execution of other programs based on license codes. Ordinarily these license codes have to be purchased from a supplier and entered into the license manager software to enable execution of the programs under its control. In this embodiment the license code is supplied as an authorization code embedded in a signal, making it possible to automatically extract the license code and supply it to the license manager. The license manager will then allow a user to execute the computer program based on the license code.

In a further embodiment the resource comprises a computer program and the authorization code causes the verifying device to grant permission for activating a module of the computer program. One way to promote a computer program is to distribute a so-called “shareware” version, in which part of the functionality is disabled. This allows potential buyers of the program to try it out for free. As the disabled functions can be seen but not used, users of the shareware version are encouraged to buy the whole program.

Typically buying the full version of a program is done by purchasing a license code that is to be entered in the shareware program. If the right code is entered, the disabled modules are enabled and the full functionality becomes available. This embodiment of the invention makes it possible to enable such a disabled module using a license code embedded in a signal such as a commercial promoting the computer program, or a television program reviewing the program.

In a further embodiment the resource comprises an electronic game and the authorization code causes the verifying device to grant permission for activating a cheat function in the electronic game. A cheat code allows the player of an electronic game to access functionality of the game that would normally not be accessible. For example, the player's character could be invincible in the game for a certain time, receive extra points or weapons, and so on.

Normally, such cheat codes are distributed as alphanumerical strings or sequences of buttons to be pressed (“press left-left-up-right-escape to become invincible”). In this embodiment the authorization code provides a cheat code for use in the electronic game. This makes it much easier for the player to activate the cheat function. The authorization code could be embedded in a television program related to electronic games. This encourages players to watch the television program because they want to obtain the cheat codes.

In a further embodiment the resource comprises a multimedia object and the authorization code causes the verifying device to grant permission for at least one of: a rendering of the multimedia object and the making of a copy of the multimedia object. Digital rights management (DRM) systems can be used to enforce restrictions on rendering and/or copying of multimedia objects. This forces people to obtain “rights” or permissions for rendering and/or copying. The present invention makes it possible to grant these “rights” by embedding them in signals likely to be received by verifying devices coupled to DRM systems.

The signal could e.g. represent an advertisement related to the multimedia object. If, after hearing the advertisement a user receives a (preferably one-time) playback right for a multimedia object, he will be greatly encouraged to also view future advertisements, and to buy the advertised product, which will typically be an item like a record carrier comprising the multimedia object or a concert by the artist performing the multimedia object.

Preferably, in the above embodiments the permission is limited in time. This way, the effect of the permission can be limited to a certain time period. It also realizes a greater audience for entities transmitting the watermarked signals, such as television broadcasters, radio stations and so on, as people wishing to make use of the authorization codes now must obtain these codes before the limited time expires.

In a further embodiment the resource comprises a computer program and the authorization code causes the verifying device to revoke a previously granted permission for executing the program. This makes it possible to distribute programs that are only supposed to be executed for a limited time, such as beta or test versions of a program.

In a variant of this embodiment the authorization code further causes the verifying device to authorize a further operation to be performed on the resource. It is to be expected that users will try to avoid receiving authorization codes that revoke previously granted permissions. One way to overcome this problem is to provide a positive authorization together with the revocation.

For example, if the authorization code revokes permission to execute a beta version of a computer program, it could at the same time grant permission to execute the official release version of that computer program. This way a beta tester is encouraged to allow revocation of the beta version. Preferably this further authorization is delayed until a predetermined time has elapsed after the revocation took place.

In a further embodiment the signal comprises an advertisement related to the resource. This has the advantage that a person listening to or viewing the signal can easily associate any authorizations granted by the embedded authorization codes with resources to which the authorizations apply. Further, it encourages the viewing or listening to advertisements.

It is a further object of the invention to provide a verifying device according to the preamble, which is capable of handling authorizations in a flexible manner.

This object is achieved according to the invention in a verifying device comprising receiving means for receiving a watermarked signal, watermark detection means for detecting an authorization code embedded in the watermarked signal, and access control means for authorizing an operation to be performed on the resource in dependence on the extracted authorization code.

A very flexible channel is obtained by transporting the authorization code to the verifying device embedded in a watermark in a signal. If new, updated or otherwise modified authorization codes need to be supplied, or previously granted permissions need to be revoked, they can simply be embedded in a new signal transmitted to the verifying device. The verifying device does not need to have a special connection to any entity supplying authorization codes. It could simply tune in to broadcasted radio or TV signals, or detect watermarks in audio signals picked up using a microphone, and so on.

Thus, in terms of technical effects produced by the invention, the verifying device no longer needs a separate channel for receiving authorizations, can handle authorizations varying in time for one particular multimedia object without having to update the multimedia object, and can activate, modify or deactivate functionality in a resource like a computer.

In an embodiment the authorization code comprises a timestamp and the access control means are arranged for authorizing the operation further in dependence on a comparison of the timestamp against a current time. This way the access control means can determine the validity of the extracted authorization code. The access control means can then ignore authorization codes extracted after the end of a validity period indicated by the timestamp, and/or automatically revoke authorizations granted once the validity indicated by the timestamp expires.

The invention further relates to a computer program product arranged for causing a general purpose computer to function as the verifying device of the invention. The invention further relates to a signal in which an authorization code is embedded by means of a watermark. Preferably the computer program product and/or the signal are embodied on a carrier such as a compact disc, a Digital Versatile Disc, a video tape or a floppy disc.

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments shown in the drawing, in which:

FIG. 1 schematically shows a system comprising a transmitter and a verifying device in accordance with the invention;

FIG. 2 schematically illustrates various applications of the method according to the invention.

Throughout the figures, same reference numerals indicate similar or corresponding features. Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects.

FIG. 1 schematically shows a system 100 comprising a watermarking device 110, a rendering device 114, a network 119 and a verifying device 130 configured to control access to a resource 140.

A receiving module 111 in the watermarking device 110 receives a content item, which is for instance a television program, a radio program, a movie, an advertisement or commercial, a picture or a sound or a portion thereof. It is usually received through a network such as the Internet, a satellite feed or a home network from a distributor 117 such as a television broadcasting organization. Alternatively, it can be loaded from local storage 118 which can be a tape or a disk such as a DVD or Video CD. It can also be a hard disk on which it has been previously recorded for later viewing.

In accordance with the invention, an authorizing module 112 determines an authorization code that is to be embedded in the content item. The authorization code can e.g. be obtained from an external source, be read from local storage 118 or be input by an operator of the watermarking device 110. A more detailed description of possible authorization codes and their uses can be found below with reference to FIG. 2.

An embedding module 113 embeds the authorization code in the content item, producing watermarked signal 120, using any kind of watermarking or other steganographic technique appropriate for the content 116. The watermarked signal 120 is then fed to rendering device 114 over a transmission medium 119, which can be e.g. a network such as the Internet, a satellite feed or a cable television network.

The rendering device 114 outputs the received signal 120 using audio output module 115 and/or video output module 116. If the signal 120 comprises audio and video signals, respective outputs may be synchronized with each other. In this embodiment the watermarked signal 120 is an audio signal, but it can equally well be a video signal. By rendering the watermarked signal 120 in this fashion, the verifying device 130 is able to receive it. Alternatively, the watermarked signal 120 could be transmitted directly to the verifying device 130, for example using a network connection between the watermarking device 110 and the verifying device 130.

The verifying device 130 comprises receiving module 131, decoding module 132 and access control module 133. The receiving module 131 receives the watermarked audio signal 120 and feeds it to the decoding module 132. The receiving module 131 can be for instance a microphone, a camera or a light sensitive sensor of some kind.

The decoding module 132 processes the watermarked audio signal 120 to obtain the authorization code embedded therein. Detecting a watermark and extracting embedded information is well known in the art and will not be elaborated upon further. The authorization code is then fed to the access control module 133.

The access control module 133 is arranged to control access to a resource 140, which in the embodiment of FIG. 1 comprises a computer program running on a personal computer. In the context of computer programs, controlling access refers to things like granting permission for execution of the program, revoking a previously granted permission for execution of the program, granting permission for activation of a module of the program and so on. A user of the personal computer will be unable to execute the program or activate the module unless permission has been granted by the access control module 133. Ways for controlling access are discussed more extensively with reference to FIG. 2 below.

In accordance with the invention, the access control module 133 controls access to the resource 140 in dependence on the authorization code extracted from the watermarked signal 120 by the decoding module 132. This way, it is possible to grant or revoke permissions, or to otherwise control access to the resource 140, in a very flexible way by simply transmitting a new watermarked signal with an authorization code every time a new permission is to be granted or revoked.

The watermarking device 110 can be realized as a computer program product being arranged for causing a processor to execute the steps described above. The computer program product enables a programmable device when executing said computer program product to function as the watermarking device 110. Similarly, the verifying device 130 can be realized as a computer program product enabling a programmable device when executing said computer program product to function as the verifying device 130.

The above description gives a general overview of the functionality of distributing watermarked content. Various ways are possible to realize the watermarking device 110 and the verifying device 130, with different advantages and possibilities.

FIG. 2 schematically illustrates various applications of the method according to the invention. The verifying device 130 is in FIG. 2 operably connected to a content playback apparatus 210, a gaming device 220, a personal computer 230, and a cash register 240. Using this connection, the verifying device 130 can control access to and/or operations of the devices 210, 220, 230, 240. Of course the verifying device 130 could also be connected to a great variety of other devices, such as telephone booths, vending machines, Internet access terminals or toys.

The connection between the verifying device 130 and the devices 210, 220, 230, 240 can be wired or wireless, depending on what kind of device verifying device 130 is connected to. In FIG. 2, the connection with the gaming device 220 and the cash register 240 is wireless, and the connection with the devices 210 and 230 is wired. The verifying device 130 can also be embodied as a component installed inside the devices 210, 220, 230, 240.

When an authorization code is extracted from the watermarked signal 120, the access control module 133 checks whether the authorization code is applicable for any of the resources to which it is connected. If this is not the case, the authorization code is ignored. Otherwise the access control module 133 performs an action appropriate for the authorization code and the resource to which the code applies. This will now be illustrated using various exemplary, non-limiting embodiments.

In a first example, the resource comprises a computer program 231 to be executed on the personal computer 230. The verifying device 130 is now preferably realized as a computer program running on the personal computer 230, although it could also be realized as one or more hardware modules installed in the personal computer 230, or as a separate device like in FIG. 2. Embodying the verifying device 130 as a part of the personal computer 230 has the advantage that components like the microphone 131 can be omitted, as they are usually present in the personal computer 230 already.

The authorization code now represents a license code granting permission for executing the computer program 231. By itself it is known in the field of computer software that execution of programs can be controlled using so-called license managers. License managers are computer programs that control the execution of other programs based on license codes. These known techniques can be adapted to work with the invention by supplying the authorization code to the license manager, which will subsequently allow a user to execute the computer program 231 based on the authorization code.

In a related embodiment, the computer program 231 is a so-called “shareware” application, in which certain modules providing certain functionality are disabled until the user supplies an authorization code. Usually the authorization code is supplied by the creator of the program after the user makes a payment. In accordance with the invention, the authorization code is embedded in the watermarked signal 120, which preferably is a commercial for the computer program 231.

Another example involves the gaming device 220. This device 220 could be a hand-held gaming console, an arcade game machine or a computer program running on a general purpose or specially adapted computer. Of course the gaming device 220 usually operates essentially in the same way as the personal computer 230, so the license codes could also be supplied to the gaming device 220 to enable execution of particular games, or to allow access to certain parts of a game (which are modules of the game software). For example, extra “levels” in the game could be made available.

Many electronic games have so-called “cheat functions”. Using these functions a player could for example easily get extra weapons or other objects for use in the game, earn extra points, walk through walls, get access to a map of the entire gaming environment, and so on. Typically the code necessary to activate a cheat function is supplied by pressing a specific sequence on a keyboard and/or operating a joystick in a particular way. In accordance with the invention, this code is supplied by the verifying device 130.

One particularly useful extension of this example involves television programs that discuss and/or review electronic games. A popular feature in such programs is providing cheat codes. In prior art systems this is done by verbally or graphically listing the keyboard sequences necessary to activate the cheat function. However, the invention makes it possible to embed the cheat code in the television program at the appropriate moment, so that the verifying device 130 can pick up the signal, extract the cheat code and supply the extracted code to the gaming device 220.

If the verifying device 130 is embodied as a part of the gaming device 220, then a player wishing to obtain a cheat code merely needs to watch the television program and use his gaming device 220 to pick up the signal when the cheat codes are being supplied. The gaming device 220 will then automatically detect the cheat codes.

Another useful application of the method according to the invention allows controlling access to copy protected multimedia objects like music, movies and so on. A digital rights management (DRM) system installed in the content playback apparatus 210 enforces restrictions on copying and/or playback of multimedia objects 212 e.g. stored in storage medium 211. These restrictions can be provided by embedding them in the multimedia objects using watermarking technology. For example, a multimedia object 213 could be made available for free on a web site, with the restriction that it can only be played back during the next week embedded in the object 213.

If a user attempts to play back that multimedia object 213 after that time period, the DRM system prohibits this. From that moment on the user must obtain authorization for playback in some other fashion, usually by buying a playback right from the copyright holder. In accordance with the invention, the authorization code comprises such a playback right. For example, if a radio station to which the user is listening broadcasts a specimen of the multimedia object 213, a one-time playback right could be embedded in the broadcast signal. The verifying device 130 picks up the one-time playback right and supplies it to the DRM system, so that the user gets an opportunity to play back the multimedia object 213 once.

This approach can, next to playback rights, also be used for copying rights. This allows the user to make a copy of a multimedia object when a signal comprising the appropriate authentication code is broadcast or transmitted to him otherwise.

Preferably the signal comprises an advertisement related to the multimedia object. For example, a record label might release a compact disc with a number of songs by one particular artist or group. To promote this release, advertisements are transmitted over radio and TV channels. The potential audience for this release most likely already has several multimedia objects comprising particular songs in its possession. By granting a one time playback right embedded in the advertisement, the record label encourages its potential audience to listen to its advertisements and whets the appetite for the compact disc because the audience will use the playback right to listen to the particular songs in its possession, and so become excited about the artist.

The verifying device 130 can also be connected to the cash register 240. The authorization code in that case preferably grants permission to the cash register 240 for applying a discount to a purchase being effected using the cash register 240. Using this embodiment an advertiser could easily offer discounts on his products by embedding discount codes into the watermarked signal 120. Consumers can pick up the watermarked signal 120 using the verifying device 130 and supply the extracted authorization code at a store to a sales clerk operating the cash register 240. The clerk subsequently enters the authorization code into the cash register 240, so that the discount is applied to the price of the product.

In this embodiment it may be advantageous to fit the verifying device 130 with a display on which the access control module 133 can display the authorization code. Alternatively, using a wired or wireless connection (for example using Bluetooth) the access control module 133 could feed the authorization code directly to the cash register 240.

Preferably the permission is limited in time. This can be realized by adding a timestamp to the authorization code. A timestamp usually indicates the time at which the permission becomes valid, and/or the time at which the permission ceases to be valid. Alternatively, the timestamp could comprise a time period during which the permission is valid.

If the access control module 133 detects that a timestamp was added to the authorization code, it compares the timestamp against the current time as measured in the verifying device 130. This may require the installation of a real-time clock in the verifying device 130. If the current time exceeds the latest time at which the permission is valid according to the timestamp, the authorization code is rejected as invalid because it has expired.

The authorization code alternatively comprises an indication that a previously granted permission is to be revoked. The access control module 133 then revokes this permission. In the example involving computer program 231, this could be realized by signaling to the license manager that the license code for the computer program 231 is to be deleted, revoked or disabled.

Access control module 133 could also keep track of the time at which an authorization code was received, and automatically revoke a permission granted by an authorization code if the current time exceeds a certain amount of time after the time at which the code was received. If the authorization code comprises a timestamp indicating the end of the validity period, the access control module 133 automatically revokes the permission when the time indicated in the timestamp is reached.

It is to be expected that users will try to avoid receiving authorization codes that revoke previously granted permissions. One way to overcome this problem is to provide a positive authorization together with the revocation. For example, if the authorization code revokes permission to execute a beta or test version of a computer program, it could at the same time grant permission to execute the official release version of that computer program. This way a beta tester is encouraged to allow revocation of the beta version. Preferably this further authorization is delayed until a predetermined time has elapsed after the revocation took place.
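The decision logic of access control module 133 described above (applicability check, timestamp comparison, revocation, automatic expiry and the delayed further authorization) can be sketched as follows. This is an added illustration, not part of the patent text: the patent does not define a code format, so the `AuthCode` fields, the class and method names and the time values are all assumptions, and the current time is passed in explicitly to stand for the real-time clock of the verifying device.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class AuthCode:
    """Hypothetical layout of an extracted authorization code (assumption)."""
    resource: str                        # resource the code applies to
    action: str                          # "grant" or "revoke"
    valid_until: Optional[float] = None  # timestamp: end of the validity period
    then_grant: Optional[str] = None     # positive authorization paired with a revoke
    grant_delay: float = 0.0             # delay before that further authorization


class AccessControl:
    """Sketch of access control module 133; times are seconds on the device clock."""

    def __init__(self, resources: Iterable[str],
                 default_lifetime: Optional[float] = None) -> None:
        self.resources = set(resources)           # resources this device controls
        self.default_lifetime = default_lifetime  # lifetime counted from reception
        self.grants: Dict[str, Optional[float]] = {}  # resource -> expiry (None = open-ended)
        self.pending: Dict[str, float] = {}           # resource -> time the grant starts

    def receive(self, code: AuthCode, now: float) -> str:
        # Codes for resources the device is not connected to are ignored.
        if code.resource not in self.resources:
            return "ignored"
        # A code extracted after the end of its validity period is rejected.
        if code.valid_until is not None and now > code.valid_until:
            return "expired"
        if code.action == "grant":
            expiry = code.valid_until
            if expiry is None and self.default_lifetime is not None:
                # No timestamp: limit the grant relative to the time of reception.
                expiry = now + self.default_lifetime
            self.grants[code.resource] = expiry
            return "granted"
        if code.action == "revoke":
            self.grants.pop(code.resource, None)
            # Positive authorization supplied together with the revocation,
            # effective only after a predetermined delay.
            if code.then_grant in self.resources:
                self.pending[code.then_grant] = now + code.grant_delay
            return "revoked"
        return "ignored"

    def is_authorized(self, resource: str, now: float) -> bool:
        start = self.pending.get(resource)
        if start is not None and now >= start:
            # The delay has elapsed: the further authorization takes effect.
            del self.pending[resource]
            self.grants[resource] = None
        if resource not in self.grants:
            return False
        expiry = self.grants[resource]
        if expiry is not None and now > expiry:
            # Automatic revocation once the validity period has ended.
            del self.grants[resource]
            return False
        return True


def beta_to_release_demo() -> list:
    """Constructed scenario: beta licence revoked, release granted 100 s later."""
    ac = AccessControl({"beta", "release"})
    out = [
        ac.receive(AuthCode("other", "grant"), now=1000),
        ac.receive(AuthCode("beta", "grant", valid_until=900), now=1000),
        ac.receive(AuthCode("beta", "grant", valid_until=2000), now=1000),
        ac.is_authorized("beta", now=1500),
        ac.receive(AuthCode("beta", "revoke", then_grant="release",
                            grant_delay=100), now=1600),
        ac.is_authorized("beta", now=1601),
        ac.is_authorized("release", now=1650),
        ac.is_authorized("release", now=1700),
    ]
    return out


if __name__ == "__main__":
    print(beta_to_release_demo())
```

Every decision here depends on the clock of the verifying device, which is why the text notes that a real-time clock may need to be installed in it.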

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. For example, multiple authorization codes could be embedded in one or multiple watermarks in the signal. Next to an authorization code embedded in a signal using a watermark, additional codes could be provided in other channels, such as by using audible signals, by providing them in a Teletext channel, or visually showing them in a video signal or in an image. Different verifying devices could authorize different operations based on one authorization code in one signal received by both.

Rather than, or in addition to, being limited in time, the authorization can also be limited in space. This can be realized by e.g. adding an address on a computer network (like an IP address or hostname) to the authorization code, or by including Global Positioning System coordinates in the authorization code. The authorization code can also contain one or more other properties of the verifying device 130 to limit the scope of the authorization.

If the authorizations are limited in time, it becomes possible to require owners of the device 140 to periodically expose themselves to content with new authorizations. For instance, a toy could be given away for free with an initial authorization in place that is limited in time (say, a week). After that, the owner of the toy must periodically visit a location in which the device 114 is installed, preferably a fast food restaurant or toy store.

The signal 120 produced by the device 114 grants the toy a new time-limited authorization so it operates for another week. If the owner does not visit the location every week, the toy ceases functioning or limits its abilities.

In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word “comprising” does not exclude the presence of elements or steps other than those listed in a claim. The word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements.

The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

1. A method of controlling access to a resource signal, comprising embedding an authorization code in a signal by means of a watermark and transmitting the watermarked signal to a verifying device, and in the verifying device, extracting the authorization code from the watermarked signal and authorizing an operation to be performed on the resource signal in dependence on the extracted authorization code, the resource signal including media content and being distinct from the watermarked signal.
2. The method of claim 1, in which the resource signal comprises a computer program and the authorization code causes the verifying device to grant permission for executing the program.
3. The method of claim 1, in which the resource signal comprises a computer program and the authorization code causes the verifying device to grant permission for activating a module of the computer program.
4. The method of claim 1, in which the resource signal comprises an electronic game and the authorization code causes the verifying device to grant permission for activating a cheat function in the electronic game.
5. The method of claim 1, in which the resource signal comprises a multimedia object and the authorization code causes the verifying device to grant permission for at least one of: a rendering of the multimedia object and the making of a copy of the multimedia object.
6. The method of claim 2, in which the permission is limited in time.
7. The method of claim 1, in which the resource signal comprises a computer program and the authorization code causes the verifying device to revoke a previously granted permission for executing the program.
8. The method of claim 7, in which the authorization code further causes the verifying device to authorize a further operation to be performed on the resource signal.
9. The method of claim 1, in which the signal comprises an advertisement related to the resource signal.
10. A verifying device arranged for controlling access to a resource signal, comprising receiving means for receiving a watermarked signal, watermark detection means for detecting an authorization code embedded in the watermarked signal, and access control means for authorizing an operation to be performed on the resource signal in dependence on the extracted authorization code, the resource signal including media content and being distinct from the watermarked signal.
11. The verifying device of claim 10, in which the authorization code comprises a timestamp and the access control means are arranged for authorizing the operation further in dependence on a comparison of the timestamp against a current time.
12. A computer program product arranged for causing a general purpose computer to function as the verifying device of claim 9.